CVE-2019-18211

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2019-18211
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-18211.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-18211
Published
2019-12-23T23:15:12.177Z
Modified
2026-04-10T04:16:36.716012Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in Orckestra C1 CMS through 6.6. The EntityTokenSerializer class in Composite.dll is prone to unvalidated deserialization of wrapped BinaryFormatter payloads, leading to arbitrary remote code execution for any low-privilege user.

References

Affected packages

Git / github.com/orckestra/c1-cms-foundation

Affected ranges

Type
GIT
Repo
https://github.com/orckestra/c1-cms-foundation
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
66e1af903237745babf015d152c17584350eeb27
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "6.6"
        }
    ]
}

Affected versions

5.*
5.2
v2.*
v2.0
v2.1
v2.1.1
v3.*
v3.0
v3.1
v3.2
v4.*
v4.0
v4.1
v4.2
v4.2-update.1
v4.3
v5.*
v5.0
v5.0-beta.1
v5.1
v5.3
v5.4
v5.5
v6.*
v6.0
v6.1
v6.2
v6.3
v6.4
v6.5
v6.6

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-18211.json"